Success Strategies for Software Security Programs
@BankimTejani
#LASCON2013
Thursday, 24 October, 2013

Background
Began career as a software developer
Transitioned to information security & software security
Worked to establish software security programs
Trained developers, architects, managers, and security teams
Currently: Senior Security Architect at ServiceMesh

Scoping
Compliance
Triage
Incident response
Punishing development teams
Magic tools you can buy

Proactive iterative improvement
Repeatability & predictability
Empowering development
Hardened software
Using tools effectively

Success Strategies
Developer Education & Learning
Software Security Roadmap
Integration to Development Teams’ SDLC(s)
Use Tools Effectively
Join the Development Team

Developer Education
Security is an afterthought in developer education
Top curriculums still treat security as an advanced topic
Organizations invest little in skills development
Training can check boxes or teach, but rarely both

Training Options
Formats:
  Computer-based training
  In-person lecture courses
  In-person workshops
  Lunch & Learn
  Tribal

Case Study: Learning
Org 1:
  Mandatory CBT awareness training
  1 developer per team received in-person technical training on generic code
Org 2:
  All developers received in-person technical training
  Their application was the primary code used
  Specific focus on fixing top issues in their code

Case Study: Learning
Org 1:
  Development continued as normal
  Few issues got fixed
  Relied on security to tell them what to do
Org 2:
  Fixed 10x the requested number of issues
  Proactively identified problem areas and sought help if needed
  Re-applied good patterns to new code

Developer Education Tips
Must have buy-in from management
Vendors can help, but choose wisely
Invest in everyone, not subsets
Use your own code, where possible
Commit to follow-up actions
Developers move & change, so refreshers needed

Software Security Roadmap
Year 1 / Year 2 / Year 3 priorities:
  SQL Injection
  Race conditions
  Error handling
  XSS
  Unreleased resources
  Dead code removal
  Web server configuration
  Additional configuration
  Log forging
  Other Injections
  Session related issues
  Information leaks
  API abuse

Software Security Roadmap
Identify & communicate software security goals
Make security a planned requirement
Empower & reward teams to be ahead of the curve
Reduce untimely security blockers
Achievable, measurable results

Case Study
Org 1:
  Identified 3 top issues for year 1, based on prior audits & incidents
  Prioritized future years, as a rough draft
  Trained developers only on current priorities
Org 2:
  Actively avoided prioritizing
  Crafted a metric weighting vendor-provided criticality
  Created an arbitrary success line for vulnerability density

Case Study
Org 1:
  Significant drop in key issues
  Top development teams planned ahead, got rewarded
  Trained developers only on current priorities
Org 2:
  Development teams gamed the system, did the minimum
  Failed internal audit
  Expended too much political capital to re-architect the program

Roadmap Tips
Must have buy-in from management
One roadmap isn’t likely to fit all teams & app types
Negotiation is a good thing
Roadmap should drive investment in tools & training

Integration to SDLC(s)
Software security is an ex post facto activity
SDLCs are methodologies that aim to make software development predictable & manageable
Types: Waterfall, Spiral, Agile, Extreme, etc.
Empowering security in development necessitates having security managed in their SDLC

Secure SDLC Activities

SDLC Integration Tips
Treat security changes and features as product requirements
Business priorities drive SDLCs, so security must be tied to business goals
Requires security to be part of the development team
Processes don’t change, they evolve
Every activity must be planned, manageable, and achievable
Opportunity for security team to learn & grow
Trying is succeeding

Use Tools Effectively
Software security tools:
  Static analysis
  Dynamic analysis
  Testing & attack tools
  Scanners & checkers
Ability to find vulnerabilities greatly exceeds the ability to fix applications
There are no bad tools
Selecting the right tool for the right job isn’t easy

Tool Selection & Usage
Software Security Roadmap should drive selection criteria
Different software stacks often require different tools
Empower teams to integrate tools into their SDLC
Structure usage & success around roadmap & training

Case Study
Team A:
  Had quality-centric static analysis in place
  Forced to adopt a security-centric static analysis tool
  Wasted time & energy to implement something with little tangible gain
Team B:
  Automated static analysis tool to run with every weekly build
  Re-configured results to align to agreed roadmap
  Measured improvement against roadmap every release

Tool Tips
Vendors are neither friend nor foe
Tune settings and results to fit your roadmap & SDLC
Automation is often more valuable than ease of use
Enable users to quickly go to actionable items
A quicker feedback cycle is vital to developer productivity
False positives happen, get over it
False negatives happen, plan for it

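An added illustration of Team B's approach (re-configuring scanner results to the agreed roadmap and measuring improvement against it each release) set beside the vendor-criticality metric that Org 2 was gamed on. This is example code, not from the deck or any scanner vendor; the finding records, file paths, the year split of the roadmap categories and the severity weights are all constructed.

```python
"""Roadmap-driven triage of scanner findings, with release-over-release measurement."""
from collections import Counter

# Categories named on the roadmap slide. Which year each lands in is an
# assumption for this example; the deck does not state the split.
ROADMAP = {
    1: {"SQL Injection", "XSS", "Web server configuration"},
    2: {"Race conditions", "Unreleased resources", "Other Injections",
        "Session related issues"},
    3: {"Error handling", "Dead code removal", "Log forging",
        "Information leaks", "API abuse"},
}
# Constructed weights standing in for a vendor's own criticality ratings.
VENDOR_WEIGHTS = {"high": 3, "medium": 2, "low": 1, "info": 0}


def in_scope_categories(current_year):
    """Categories a team is held to: this year's plus every earlier year's,
    so an issue class that was driven down cannot quietly creep back."""
    return set().union(*(ROADMAP[y] for y in range(1, current_year + 1)))


def triage(findings, current_year):
    """Split raw scanner output into actionable (on the roadmap) and deferred."""
    scope = in_scope_categories(current_year)
    actionable = [f for f in findings if f["category"] in scope]
    deferred = [f for f in findings if f["category"] not in scope]
    return actionable, deferred


def release_delta(previous, current, current_year):
    """Per-category change in actionable findings between two builds.
    Negative is improvement; every in-scope category is listed, even at zero."""
    prev = Counter(f["category"] for f in triage(previous, current_year)[0])
    curr = Counter(f["category"] for f in triage(current, current_year)[0])
    return {c: curr[c] - prev[c] for c in sorted(in_scope_categories(current_year))}


def roadmap_status(previous, current, current_year):
    """What a team is shown each release: counts, per-category delta, regressions."""
    actionable, deferred = triage(current, current_year)
    delta = release_delta(previous, current, current_year)
    return {
        "actionable": len(actionable),
        "deferred": len(deferred),
        "delta": delta,
        "regressed": sorted(c for c, d in delta.items() if d > 0),
    }


def vendor_weighted_score(findings):
    """A severity-weighted total of the kind Org 2 measured on; lower looks better."""
    return sum(VENDOR_WEIGHTS[f["severity"]] for f in findings)


# Constructed findings from two consecutive weekly builds (ids and paths invented).
RELEASE_1 = [
    {"id": "F1", "category": "SQL Injection", "severity": "high", "file": "orders.py:42"},
    {"id": "F2", "category": "SQL Injection", "severity": "high", "file": "reports.py:88"},
    {"id": "F3", "category": "XSS", "severity": "medium", "file": "views.py:17"},
    {"id": "F4", "category": "Log forging", "severity": "low", "file": "audit.py:9"},
    {"id": "F5", "category": "Dead code removal", "severity": "info", "file": "legacy.py:200"},
    {"id": "F6", "category": "Race conditions", "severity": "medium", "file": "cache.py:55"},
]
# Between builds F1 and F3 were fixed, and two new XSS findings (F7, F8) appeared.
RELEASE_2 = [RELEASE_1[1], RELEASE_1[3], RELEASE_1[4], RELEASE_1[5]] + [
    {"id": "F7", "category": "XSS", "severity": "medium", "file": "views.py:31"},
    {"id": "F8", "category": "XSS", "severity": "medium", "file": "search.py:12"},
]

if __name__ == "__main__":
    # The vendor score falls 11 -> 10 and reads as progress; the roadmap view
    # shows the SQL Injection fix but also that a year-1 category (XSS) regressed.
    print("vendor score:", vendor_weighted_score(RELEASE_1), "->", vendor_weighted_score(RELEASE_2))
    print("roadmap status:", roadmap_status(RELEASE_1, RELEASE_2, current_year=1))
```

The deferred findings are not discarded; they are simply not what the team is measured on until their roadmap year arrives.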
Join the Development Team!
Core concept of DevOps, Rugged models
Move security from corporate function to a development team or product function
Requires security teams to contribute to software goals
Take ownership and drive improvements

Lessons Learned
Prioritizing is a continuous balancing act
Credibility improves when you’re a peer, not oversight
Security improvements can happen organically
More vulnerabilities averted at early stages
Opportunities evolved as a result

Questions?
@bankimtejani, #lascon2013
bankim.tejani@owasp.org